- File Systems, including Windows, Unix or Linux operating systems;
- Databases, including physical and virtual platforms that can monitor changes in the schema as well as content;
- Directory services, or applications such as Lightweight Directory Access Protocol (LDAP), Active Directory, etc;
- Virtual Infrastructures, including components of a virtual environment, such as the VMs, hypervisors, and virtual switches; and
- Network devices, including routers, switches, firewalls and other devices.
File Integrity Monitoring (FIM)
One part of the SCM solution is File Integrity Monitoring (FIM), which is the process of validating the integrity of OS and application software files by comparing the current state of the files with their ‘known-good’ baselines. According to the 2015 Verizon Data Breach Investigation Report (DBIR), in 60 percent of cases the attackers were able to compromise an organisation within minutes. Verizon also states that one of the primary challenges in the security industry is the growing "detection deficit" between attackers and defenders. Having a good SCM solution in place that includes FIM will help detect deviations from the baseline, that is, help identify abnormalities in the configuration of the system in question. FIM is an important component of SCM. What if a system’s OS or critical configuration has already been weakened, either by accident or maliciously? How would you know? SCM helps prevent attacks by creating a known and trusted state for your endpoints, or ‘nodes’. FIM will automatically detect changes in this state and alert you to a potential threat. When it comes to FIM solutions, there are vendors who offer agentless solutions. Whilst these may be good enough for certain compliance requirements, fully agentless solutions lack the depth of agent-based solutions or hybrid solutions that use both methods. Furthermore, agentless solutions do not operate in real time: the data is only valid as of the last active scan, which is often not performed frequently enough.
https://www.youtube.com/watch?v=rLuC5lnpThU&feature=youtu.be
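The baseline-and-compare process described above, as an added example that is not part of the original article or any vendor's product: it records a SHA-256 hash, size and permission bits for every regular file under a directory, persists that baseline as JSON, and on a later scan reports files that were added, removed or modified. The directory layout, file names and contents in the demo are constructed for illustration.

```python
"""Minimal file integrity monitor: baseline a directory tree, then detect
added, removed and modified files against that baseline (example code)."""
import hashlib
import json
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Stream the file through a hash so large files do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_path: {"sha256", "size", "mode"}} for each regular file.

    Symlinks are skipped so a link pointing elsewhere cannot masquerade as a
    monitored file. Permission bits are recorded so a mode change (e.g. a
    config file made world-writable) is flagged even if the content is same.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two baselines; 'modified' covers content, size or mode changes."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Build a baseline, simulate drift, and return the change report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        sshd = os.path.join(etc, "sshd_config")
        hosts = os.path.join(etc, "hosts")
        with open(sshd, "w") as f:          # constructed sample content
            f.write("PermitRootLogin no\n")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")

        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(etc), baseline_path)

        # Simulated drift: a hardening setting is flipped, a file disappears,
        # and an unexpected file appears.
        with open(sshd, "a") as f:
            f.write("PermitRootLogin yes\n")
        os.remove(hosts)
        with open(os.path.join(etc, "unexpected.conf"), "w") as f:
            f.write("x\n")

        return compare(load_baseline(baseline_path), build_baseline(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline file itself must be stored where a compromised host cannot rewrite it (signed, or held on the monitoring server), otherwise an attacker who alters a file can simply re-baseline it; that is the practical reason agent-based FIM reports to a central console rather than trusting local state.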
Policy
An SCM policy is a collection of standards to which monitored systems on your organisation's network must conform in order to comply with either internal or external regulations. As such, a good SCM solution will allow you to import a number of policies and create your own based on these policies. Each policy will have the following four components:
- tests that check the state of a specific configuration setting;
- scores, a measurement of the overall conformance of a system or device;
- weights that indicate the relative importance of a test; and
- thresholds that map a score, from lowest to highest, to a colour, so that urgent failures are separated from less urgent ones.
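The four policy components just listed, worked through as an added example that is not taken from the article or any vendor's product. Each test checks one configuration setting and carries a weight; the score is the weighted percentage of passing tests; thresholds map that score to a colour; and failures are listed heaviest-weight first so the most urgent ones surface. The SSH settings, weights and threshold values are constructed for illustration, not a published benchmark.

```python
"""Weighted policy scoring for configuration checks (example code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Config = Dict[str, str]  # parsed key/value settings of the monitored system


@dataclass
class Test:
    name: str
    check: Callable[[Config], bool]  # returns True when the setting conforms
    weight: int = 1                  # relative importance of this test


@dataclass
class Policy:
    name: str
    tests: List[Test]
    # (minimum score, colour), evaluated highest first
    thresholds: List[Tuple[float, str]]


def classify(score: float, thresholds: List[Tuple[float, str]]) -> str:
    """Return the colour of the highest threshold the score reaches."""
    for minimum, colour in sorted(thresholds, reverse=True):
        if score >= minimum:
            return colour
    return sorted(thresholds)[0][1]  # below every threshold: lowest band


def evaluate(policy: Policy, config: Config) -> dict:
    """Run every test, compute the weighted score and rank the failures."""
    earned = total = 0
    failures = []
    for t in policy.tests:
        total += t.weight
        try:
            passed = bool(t.check(config))
        except (KeyError, ValueError):
            passed = False  # a missing or malformed setting never passes
        if passed:
            earned += t.weight
        else:
            failures.append((t.name, t.weight))
    score = round(100.0 * earned / total, 1) if total else 100.0
    failures.sort(key=lambda f: (-f[1], f[0]))  # heaviest weight first
    return {"score": score, "colour": classify(score, policy.thresholds),
            "failures": failures}


# Constructed example policy for an SSH daemon; weights reflect how much
# each control matters relative to the others.
SSH_POLICY = Policy(
    name="example-ssh-hardening",
    tests=[
        Test("PermitRootLogin", lambda c: c["PermitRootLogin"] == "no", 5),
        Test("PasswordAuthentication",
             lambda c: c["PasswordAuthentication"] == "no", 3),
        Test("MaxAuthTries", lambda c: int(c["MaxAuthTries"]) <= 4, 1),
        Test("X11Forwarding", lambda c: c["X11Forwarding"] == "no", 1),
    ],
    thresholds=[(90.0, "green"), (70.0, "amber"), (0.0, "red")],
)

# Constructed sample: a host that drifted from the policy.
DRIFTED = {"PermitRootLogin": "yes", "PasswordAuthentication": "no",
           "MaxAuthTries": "6", "X11Forwarding": "no"}

# The same host after remediation.
REMEDIATED = {"PermitRootLogin": "no", "PasswordAuthentication": "no",
              "MaxAuthTries": "4", "X11Forwarding": "no"}

if __name__ == "__main__":
    for label, cfg in (("drifted", DRIFTED), ("remediated", REMEDIATED)):
        print(label, evaluate(SSH_POLICY, cfg))
```

Because the score is weighted, a single failed high-weight test (root login permitted) drags the host into the red band even though three of four tests pass; that is the point of weights, and it is why an unweighted pass count alone is a poor measure of posture.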
Putting It All Together
I have covered two major components of SCM: FIM and Policy. But there are other features that SCM vendors add to complement their solutions. These include third-party integrations, reconciliation and remediation, and integration with other products in the vendor's portfolio. Before purchasing a solution, though, it’s a good idea to do some research first. The following points should be considered:
- Scope – Ensure you are acquiring from the right systems, including servers, virtual infrastructures and network devices.
- Administration – Identify who would need access to your SCM solution, such as system administrators, auditors, analysts and consumers.
- Hardware – Ensure you gather the system requirements from the SCM vendor. It’s advisable to over-scope the system rather than merely meet the minimum requirements, so that you have room to expand on existing infrastructure.
- Instantly assess the strength of their system and network configurations
- Harden systems to organisational security policies, standards and guidelines
- Provide on-demand technical and executive-level reports and dashboards
- Communicate the overall security posture in ways the business understands.